Stopping Amplified DNS DDoS Attacks through Distributed Query Rate Sharing

Saurabh Verma, Ali Hamieh, J. Huh, Henrik Holm, S. R. Rajagopalan, Maciej Korczyński, N. Fefferman
DOI: 10.1109/ARES.2016.93 (https://doi.org/10.1109/ARES.2016.93)
Venue: 2016 11th International Conference on Availability, Reliability and Security (ARES)
Publication date: 2016-08-01
Citation count: 9

Abstract

An Amplified DNS DDoS (ADD) attack involves tens of thousands of DNS resolvers that send huge volumes of amplified DNS responses to a single victim host, quickly flooding the victim's network bandwidth. Because ADD attacks are distributed, it is difficult for individual DNS resolvers to detect them based on local DNS query rates alone. Even if a victim detects an ADD attack, it cannot stop the attacker from flooding its network bandwidth. To address this problem, we present a novel mitigation system called "Distributed Rate Sharing based Amplified DNS-DDoS Attack Mitigation" (DRS-ADAM). DRS-ADAM facilitates DNS query rate sharing between DNS resolvers that are involved in an attack to detect and completely stop an ADD attack. Each DNS resolver quickly builds the global DNS query rate for potential victims by accumulating the shared rate values, and uses that global rate to make mitigation decisions locally. DRS-ADAM can be easily deployed through a small software update on resolvers and victim hosts, and does not require any additional server component. Our simulation results show that DRS-ADAM can contain the peak attack rates close to a victim's acceptable threshold values (which are far smaller than their sustainable bandwidth) at all times, regardless of the number of resolvers involved in ADD attacks. ADD attacks can be fully mitigated within a few seconds.